This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 62%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
I am trying to enroll a Windows laptop into Intune in a hybrid environment. The device is domain-joined, and the enrollment group policy is correctly applied. I have successfully enrolled other devices using the same setup, but this particular device is failing to enroll.
When I run dsregcmd /status, I receive the following output:
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : NO
EnterpriseJoined : NO
DomainJoined : YES
DomainName : NTE
Virtual Desktop : NOT SET
Device Name : Dxxxx.xxx.local
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : ERROR (0x80070520)
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : NO
AzureAdPrtAuthority : NO
EnterprisePrt : NO
EnterprisePrtAuthority : NO
+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+
Diagnostics Reference : www.microsoft.com/aadjerrors
User Context : SYSTEM
Client Time : 2025-02-21 09:41:40.000 UTC
AD Connectivity Test : PASS
AD Configuration Test : PASS
DRS Discovery Test : FAIL [0x801c0021/0x801c0012] Request id: 6adb9d00-dd45-4998-9b9b-b154c80413ce
DRS Connectivity Test : SKIPPED
Token acquisition Test : SKIPPED
Fallback to Sync-Join : ENABLED
Fallback to Fed-Join : ENABLED
Previous Registration : 2025-02-20 16:48:28.000 UTC
Error Phase : discover
Client ErrorCode : 0x801c0021
Server ErrorCode : invalid_request
Server ErrorSubCode : ParameterValueInvalid
Server Operation : Discovery
Server Message : UPN suffix parameter contains spaces: 'Nxxxxxxx Txxxxxxx Exxxxx Lxxxxxxx'
Https Status : 400
Request Id : bfe91135-ebcd-4a4d-ba0b-294cd47296d3
+----------------------------------------------------------------------+
| IE Proxy Config for System Account |
+----------------------------------------------------------------------+
Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List :
+----------------------------------------------------------------------+
| URL Specific Proxy Config |
+----------------------------------------------------------------------+
Auto Detect PAC Status : Failed to auto detect the Proxy Auto-Configuration (PAC) script using WPAD. code: 0x80072f94
Executing Account Name : XXX\DMORELLI$, DMORELLI$@xxx.local
+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+
Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List :
+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+
Access Type : DIRECT
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
IsDeviceJoined : NO
IsUserAzureAD : NO
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision
I've already:
Checked the Domains and Trusts - There is only one domain and it is a .co.uk and not a string with spaces.
Checked the UPNs using PowerShell - there was only one and the same as above
Checked both the users and devices AD attributes - all correct and no sign on this incorrect UPN suffix
Checked the devices local settings
Cleared all the caches related to the dsregcmd
Ran dsregcmd /leave & /join (both with and without a restart)
Unjoined the device from the domain, deleted all traces in Azure AD (where it appears in a pending state) and rejoined
Checked the firewall for errors
Checked Azure AD Connect sync sync rules- theres a reference to userprinciplename = 'userPrincipleName' so this wasn't any help
Ran through a heap of Microsoft documentation
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Ashlee Sims, Thanks for posting in Q&A. From your description I know you are doing GPO enrollments. Some devices can enroll successfully. But some can't. For the affected device, from the information you provided, it shows the issue is that Microsoft Entra Hybrid joined is failed. The AzureADjoined and AzureAdPrt are all NO.
In general, to enroll devices via GPO enrollment, the devices need to be Microsoft Entra hybrid Joined successfully firstly which means the AzureADjoined, Domainjoined and AzureAdPrt are all Yes.
In the Diagnostic Data, it says the issue occurs in Discover phase. and the error message is "UPN suffix parameter contains spaces:". Please double confirm with the user's UPN to see if any space exists. If yes, remove it in AD and sync again to see if it can work.
Meanwhile, here is a troubleshooting link for Microsoft Entra hybrid join. You can read it as a reference.
https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current
In addition, to remove previous enrollment information, please also clean the data under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollment.
Please try the above suggestion and if there's any update, feel free to let us know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Ashlee Sims, How are things going? If there' s any update, feel free to let us know.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 85%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Morning,
I have already checked there are no spaces in the users UPN. The server message is the full name of my company.
Server Message : UPN suffix parameter contains spaces: 'Nxxxxxxx Txxxxxxx Exxxxx Lxxxxxxx'
I have now had this issue on another device. I think this is related to dropping the device into the DC OU that has the group policy 'Enable automatic MDM enrollment using default Azure AD credentials' applied it prior to a successful Microsoft Entra Hybrid enrollment. As i had a different device, without the group policy applied stuck in the pending state and dsregcmd /leave & /join worked correctly.
I have removed the group policy from the affected devices but I'm still getting the same error, i am guessing the information is cached on the device somewhere, as dsregcmd /leave and deleting the device from Entra has no affect. It just gets stuck at the same place with the same error message. The device is still acting like the policy is applied.
I've checked HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollment there is only one key value pair 'EnableSettings', im not sure what this does.
I've also checked HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments and tried to delete them but they just reappear.
Is there somewhere it will be storing old group policy data, a way to clean it up?
I believe i have solved this. For some reason applying the MDM enrollment group policy effects the parameters used by Entra to register a device. I'm still not sure where dsregcmd was pulling the UPN suffix from but it was clearly pulling the Tenant name instead. I found the tenant name cached here -
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
When i changed this to the UPN Suffix, restarted the device and reran dsregcmd /join, it was successful.
To avoid this in the future, I will ensure that the device has successfully registered in Entra before assigning the MDM enrollment group policy.
@Ashlee Sims, Thanks for sharing the solution. I am glad that the issue is resolved. As you can't mark your own reply as answer. To help others quickly find this solution, please let me write a summary:
Issue:
Windows Laptop Failing to Enroll in Intune (Hybrid Join Issue). The issue occurs in Discover phase. and the error message is "UPN suffix parameter contains spaces:"
Resolution:
Again thanks for your time and have a nice day!
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.